TV5 Monde Malware Attack – A Cautionary Tale and Lessons Learned

October 26, 2016

In April 2015, France’s TV5 Monde launched a new station, bringing its media offering to 12 channels, when it suffered a crippling malware attack that took all 12 channels off the air.

Highly targeted malicious software was being used to destroy the TV network’s encoder systems through which programs are transmitted. The financial lifeblood of a network, in addition to advertising revenue, is its satellite distribution channels, the quick moving attack posed an existential threat to the media entity, and sparked a race against time. As the malware proceeded to corrupt more and more systems with every passing minute, the likelihood increased that the network would have to forfeit lucrative contracts due to the delay in content provision.

During the attack, an on-site technical resource was able to successfully identify the breached endpoint that was pushing out the highly destructive, custom designed malware to other endpoints within the enterprise network. The machine in question was promptly removed from the network and the attack was stopped.

This was pure luck, the technical expert happened to be on-site because he’d been setting up the new channel, launched hours previously. Had the circumstances been any different, there would have been no way to react rapidly enough to stop the attack before it had succeeded in taking the entire TV5 Monde network down as a functioning business.

The Aftermath of the Malware Attack

The Cyber Caliphate immediately took credit for the attack, but investigators subsequently determined that the source of the attack was the Russian hacking group APT 28. The forensic investigation uncovered two notable things:

First, the attackers initially penetrated the network on January 23 – about 2 ½ months prior to the attack launching.

Second, was that the attackers used seven different points of entry – and not all of them were part of TV5Monde systems or even located in France. In one case, a company based in the Netherlands was targeted because it supplied the remote controlled cameras used in TV5’s studios.

While the network was ultimately saved, it came at a significant financial cost – to the tune of $5.6 Million in 2015 and over $3.4 Million committed for every following year for supplemental defensive technologies. In addition to financial costs, TV5 Monde – as a media company whose business is based on moving material in and out of its systems – has suffered a significant and detrimental impact on efficiency brought about by behavioral changes. In the immediate aftermath of the attack staff resorted to using faxes rather than emails, and even now special authentication procedures are followed to check emails from abroad and flash drives are tested prior to every use. The damage to operational efficiency has been tangible and lasting – the attack has permanently changed the way the business functions, and not for the better.

Prevention Was Possible

Arguably the critical and defining characteristic of the attack was that the malware breached and persisted undetected for over 2 months before the April 2015 attack. This provided an opportunity to detect the malware and address it before APT 28 was able to launch their attack, if the enterprise had such a capability.

The underlying problem at TV5 Monde was that there was no capability to detect malware that had breached defenses and was running undetected. Essentially they had accepted a narrative focused around reactive security from vendors, and it had perpetuated a false sense of security. Their subsequent costly investment in more real time defensive layers will do nothing to guarantee that malware won’t breach again. Their behavioral changes will not protect them either, and slows down operational efficiency.

Defining and Managing the Breach Detection Gap

It’s clear that the current standard security practices are not adequate to protect against all breaches. Enterprises need to approach threat detection from a completely new perspective to ensure there’s a safety net when other controls fail. To this end, they need to start defining and managing their breach detection gap, the period of time between when malware first executes and when it is detected.

The key steps that guide this process are:

Organizations need to determine an acceptable “breach discovery window” for threats that have slipped through existing defenses; then

They must enforce it by proactively hunting for malware that has breached in order to discover it within the agreed time frame.

The following 4 key principles are instrumental to supporting the process:

Accept that malware and APTs will breach existing defenses; and

Endpoints should be treated as untrusted until proven otherwise; and

Any trust established is both finite and fleeting; and

Endpoints need to be validated as malware free, anytime, anyplace.

When organizations approach endpoint security from this proactive perspective, the sole reliance on defensive technologies is removed. To ignore this approach and continue to invest solely in defensive technologies that cannot wholly protect an enterprise’s corporate data is to accept the inevitability of the significant consequences of dealing with a breach – as TV5 Monde underwent in April 2015.

More from our blog

A Brief History of Forensic State Analysis Prior to starting Infocyte, our co-founders, Chris Gerritz and Russ Morris, created the first enterprise-scoped threat hunting team for the entire U.S. Department of Defense. Their teams were responsible for hunting, detecting, and responding to highly sophisticated attacks across an 800,000-node network. With virtually unlimited resources and access…

In Q1, we released new tools to assist cybersecurity incident responders. One of those new features is a root cause analysis tool, is designed to help IR teams trace the source of suspicious activity or identified threats across their environment. This blog introduces the new root cause analysis (RCA) feature, Activity Trace, and how it…

An Overview of False Positives and False Negatives Understanding the differences between false positives and false negatives, and how they’re related to cybersecurity is important for anyone working in information security. Why? Investigating false positives is a waste of time/resources and distracts your team from focusing on real cyber incidents (alerts) originating from your SIEM.…